Merge "Refactor CORS unit tests"

test/unit/proxy/test_server.py

@@ -6083,21 +6083,18 @@ class TestObjectController(unittest.TestCase):
                 7)
             self.assertEqual('999', resp.headers['access-control-max-age'])
 
-    def test_CORS_valid(self):
+    def _get_CORS_response(self, container_cors, strict_mode, object_get=None):
         with save_globals():
             controller = ReplicatedObjectController(
                 self.app, 'a', 'c', 'o')
 
             def stubContainerInfo(*args):
                 return {
-                    'cors': {
+                    'cors': container_cors
-                        'allow_origin': 'http://not.foo.bar',
-                        'expose_headers': 'X-Object-Meta-Color '
-                                          'X-Object-Meta-Color-Ex'
-                    }
                 }
+
             controller.container_info = stubContainerInfo
-            controller.app.strict_cors_mode = False
+            controller.app.strict_cors_mode = strict_mode
 
             def objectGET(controller, req):
                 return Response(headers={
@@ -6105,12 +6102,24 @@ class TestObjectController(unittest.TestCase):
                     'X-Super-Secret': 'hush',
                 })
 
+            mock_object_get = object_get or objectGET
+
             req = Request.blank(
                 '/v1/a/c/o.jpg',
                 {'REQUEST_METHOD': 'GET'},
                 headers={'Origin': 'http://foo.bar'})
 
-            resp = cors_validation(objectGET)(controller, req)
+            resp = cors_validation(mock_object_get)(controller, req)
+
+            return resp
+
+    def test_CORS_valid_non_strict(self):
+        # test expose_headers to non-allowed origins
+        container_cors = {'allow_origin': 'http://not.foo.bar',
+                          'expose_headers': 'X-Object-Meta-Color '
+                                            'X-Object-Meta-Color-Ex'}
+        resp = self._get_CORS_response(
+            container_cors=container_cors, strict_mode=False)
 
         self.assertEqual(200, resp.status_int)
         self.assertEqual('http://foo.bar',
@@ -6129,71 +6138,65 @@ class TestObjectController(unittest.TestCase):
                                 'x-object-meta-color-ex'])
         self.assertEqual(expected_exposed, exposed)
 
-            controller.app.strict_cors_mode = True
+        # test allow_origin *
-            req = Request.blank(
+        container_cors = {'allow_origin': '*'}
-                '/v1/a/c/o.jpg',
-                {'REQUEST_METHOD': 'GET'},
-                headers={'Origin': 'http://foo.bar'})
 
-            resp = cors_validation(objectGET)(controller, req)
+        resp = self._get_CORS_response(
+            container_cors=container_cors, strict_mode=False)
+        self.assertEqual(200, resp.status_int)
+        self.assertEqual('*',
+                         resp.headers['access-control-allow-origin'])
+
+        # test allow_origin empty
+        container_cors = {'allow_origin': ''}
+        resp = self._get_CORS_response(
+            container_cors=container_cors, strict_mode=False)
+        self.assertEqual(200, resp.status_int)
+        self.assertEqual('http://foo.bar',
+                         resp.headers['access-control-allow-origin'])
+
+    def test_CORS_valid_strict(self):
+        # test expose_headers to non-allowed origins
+        container_cors = {'allow_origin': 'http://not.foo.bar',
+                          'expose_headers': 'X-Object-Meta-Color '
+                                            'X-Object-Meta-Color-Ex'}
+        resp = self._get_CORS_response(
+            container_cors=container_cors, strict_mode=True)
 
         self.assertEqual(200, resp.status_int)
         self.assertNotIn('access-control-expose-headers', resp.headers)
         self.assertNotIn('access-control-allow-origin', resp.headers)
 
-            controller.app.strict_cors_mode = False
+        # test allow_origin *
-
+        container_cors = {'allow_origin': '*'}
-            def stubContainerInfoWithAsteriskAllowOrigin(*args):
-                return {
-                    'cors': {
-                        'allow_origin': '*'
-                    }
-                }
-            controller.container_info = \
-                stubContainerInfoWithAsteriskAllowOrigin
-
-            req = Request.blank(
-                '/v1/a/c/o.jpg',
-                {'REQUEST_METHOD': 'GET'},
-                headers={'Origin': 'http://foo.bar'})
-
-            resp = cors_validation(objectGET)(controller, req)
 
+        resp = self._get_CORS_response(
+            container_cors=container_cors, strict_mode=True)
         self.assertEqual(200, resp.status_int)
         self.assertEqual('*',
                          resp.headers['access-control-allow-origin'])
+        self.assertEqual('red', resp.headers['x-object-meta-color'])
+        # X-Super-Secret is in the response, but not "exposed"
+        self.assertEqual('hush', resp.headers['x-super-secret'])
+        self.assertIn('access-control-expose-headers', resp.headers)
+        exposed = set(
+            h.strip() for h in
+            resp.headers['access-control-expose-headers'].split(','))
+        expected_exposed = set(['cache-control', 'content-language',
+                                'content-type', 'expires', 'last-modified',
+                                'pragma', 'etag', 'x-timestamp',
+                                'x-trans-id', 'x-object-meta-color'])
+        self.assertEqual(expected_exposed, exposed)
 
-            def stubContainerInfoWithEmptyAllowOrigin(*args):
+        # test allow_origin empty
-                return {
+        container_cors = {'allow_origin': ''}
-                    'cors': {
+        resp = self._get_CORS_response(
-                        'allow_origin': ''
+            container_cors=container_cors, strict_mode=True)
-                    }
+        self.assertNotIn('access-control-expose-headers', resp.headers)
-                }
+        self.assertNotIn('access-control-allow-origin', resp.headers)
-            controller.container_info = stubContainerInfoWithEmptyAllowOrigin
-
-            req = Request.blank(
-                '/v1/a/c/o.jpg',
-                {'REQUEST_METHOD': 'GET'},
-                headers={'Origin': 'http://foo.bar'})
-
-            resp = cors_validation(objectGET)(controller, req)
-
-            self.assertEqual(200, resp.status_int)
-            self.assertEqual('http://foo.bar',
-                             resp.headers['access-control-allow-origin'])
 
     def test_CORS_valid_with_obj_headers(self):
-        with save_globals():
+        container_cors = {'allow_origin': 'http://foo.bar'}
-            controller = ReplicatedObjectController(
-                self.app, 'a', 'c', 'o')
-
-            def stubContainerInfo(*args):
-                return {
-                    'cors': {
-                        'allow_origin': 'http://foo.bar'
-                    }
-                }
-            controller.container_info = stubContainerInfo
 
         def objectGET(controller, req):
             return Response(headers={
@@ -6203,12 +6206,9 @@ class TestObjectController(unittest.TestCase):
                 'Access-Control-Expose-Headers': 'x-trans-id'
             })
 
-            req = Request.blank(
+        resp = self._get_CORS_response(
-                '/v1/a/c/o.jpg',
+            container_cors=container_cors, strict_mode=True,
-                {'REQUEST_METHOD': 'GET'},
+            object_get=objectGET)
-                headers={'Origin': 'http://foo.bar'})
-
-            resp = cors_validation(objectGET)(controller, req)
 
         self.assertEqual(200, resp.status_int)
         self.assertEqual('http://obj.origin',